about

writing

contact

Google Securing The Web One Discrete Monopolizing Push At A Time

By eric

2011-11-04

Contrary to speculation by some, Google’s decision for encrypting search data is motivated by the goal to make the web as a whole more secure and it’s not driven by economic interests. I think Google is silently forcing the internet to do what they should be doing on their own.Google can’t just tell everyone to make their sites operate over SSL. That would show their monopoly and their power (even though everyone knows it’s there). So after Eric Schmidt spoke to congress about many things (including privacy), Google is finally releasing encrypted search for logged in users. For more information on everything this means with regard to marketing and SEO, I recommend reading this comprehensive article by Search Engine Land. But for security, this has a whole different meaning.

Looking at this from a slightly different perspective, Google is saying that if you just make your site SSL available, then you can continue to have your referrers. And that is ultimately what people (read marketers and SEO folks) want anyway. To oversimplify a bit, making one’s site available over SSL is as easy as going to GoDaddy or the like and buying and installing an SSL certificate on your web server.

But what does having this certificate really do? It allows a website to be loaded in a secure, encrypted environment. It also allows the browser and the user to validate that the site is who they say they are according to a set of authorities like Verisign or Thawte. These are the folks whose job it is to verify that the certificate is being issued to a valid company (note that I said valid, not necessarily reputable as it’s not the job of certificate authorities to determine reputation).

And on a more technical level, as a user, SSL certificates keep traffic between you and the website you are interacting with more secure. Looking at this via the OSI model for networking; since all HTTP traffic happens at the application layer (layer 7), when SSL is not present, everything happens over plain text communications and can be sniffed. SSL, which is a network protocol, occurs at layer 6 (the presentation layer) and therefore can encrypt and decrypt all the communications that happen at layer 7 (if used).

So if we all bit the bullet and added SSL capabilities to our sites, the net result would be a more secure internet from a user perspective. There are plenty worse things that Google could be doing than forcibly making the internet more secure.

Anonymous

The push to move sites to SSL comes with another, probably intended, side effect – which is the ability to censor sites through certificate revocation, which would scare the bejesus out of most people met with browser warnings, and with the flip of a switch could actually allow browser developers to simply not load the content as opposed to only warning.